Requests to non-OIDC location result in oidc_check_x_forwarded_hdr warning + Segfault

[mephinet]

Hi, everyone! We've been upgrading our Apache Docker image to php:8.3-apache, which uses Apache/2.4.59 (Debian). We are adding the latest libapache2-mod-auth-openidc version found in the debian repo, currently 2.4.12.3-2+deb12u1.

As the image is running in an Kubernetes deployment behind a reverse proxy, we've set the OIDCXForwardedHeaders header, which assures that the redirect_uri is calculated correctly. So far, everything works fine.

As per Kubernetes best practise, we also configure Apache to serve a static endpoint that can be used to query if it is still alive - in our case /live. This endpoint is meant to be regularly queried by the cluster, and unless 200 is returned, the pod (=process) is restarted.
Of course, this endpoint does not need to be SSO protected, so it is served by a <Location> that does not specify AuthType openid-connect. At the same time, since the request is coming from inside the cluster, there are not Forward headers set.

It turns out, in this setup, we see the following log output:

[Mon Jul 15 14:16:00.952481 2024] [core:notice] [pid 1] AH00094: Command line: 'apache2 -D FOREGROUND'
[Mon Jul 15 14:16:00.952390 2024] [mpm_prefork:notice] [pid 1] AH00163: Apache/2.4.59 (Debian) PHP/8.3.9 configured -- resuming normal operations
[Mon Jul 15 14:16:12.549078 2024] [auth_openidc:warn] [pid 17] [client 10.128.6.1:57452] oidc_check_x_forwarded_hdr: OIDCXForwardedHeaders configured for header Forwarded but not found in request
[Mon Jul 15 14:16:12.549126 2024] [auth_openidc:warn] [pid 18] [client 10.128.6.1:57438] oidc_check_x_forwarded_hdr: OIDCXForwardedHeaders configured for header Forwarded but not found in request
[Mon Jul 15 14:16:29.988721 2024] [core:notice] [pid 1] AH00051: child pid 19 exit signal Segmentation fault (11), possible coredump in /etc/apache2

This looks like 2 issues to me:

1. since this request is not served by a <Location> that das OIDC enabled, IMHO the config check should not be performed
2. the segfault

If I disable the requests to the /live endpoint, the Apache is serving requests fine, so it seems to be triggered by this request to a location not configured to perform OIDC...

[zandbelt]

either Debian has to update to a more recent version >= 2.4.15.2 of mod_auth_openidc, or they have to include a patch to avoid this crash (see: c2f200f) or you can download a newer version manually from the Assets section of the Releases page, or you can compile a more recent version manually

[mephinet]

Awesome, thanks! I'll give it a try tomorrow!

[hmoffatt]

Debian unstable has 2.4.15.7, but stable won't be updated with a newer version. If someone files a bug report they might apply the patch though.

[mephinet]

I've created a bug report for applying the patch: https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=1076429

[mephinet]

In the meantime, we're adding

RequestHeader setifempty Forwarded "${FORWARDED}" early

as a work-around to assure that every request has the configured header (even when fake)

[moschlar]

I will backport the patch and have it included in the next Debian stable point release.